Error messages in Windows are notorious for being especially unhelpful and uninformative, but Microsoft has set out to address this issue when users try to open a file or folder to which they don’t have sufficient access permissions. Access Denied Remediation (ADR), also known as Access Denied Assistance, can be enabled on Windows Server 2012 file servers and allows organizations to configure customized access denied messages for Windows 8 users, including the ability to alert an administrator or the resource owner for further assistance. Today I will show you how to enable and configure this feature on Windows Server 2012 for your users.

Help for IT administrators and Users

One of the biggest problems associated with access denied messages is that to resolve the issue IT admins need to know the exact file or folder path, meaning that the administrator either has to search for the resource or walk the user through discovering the file path. Access Denied Remediation not only helps the user get a solution to the problem faster, but it also allows IT admins to respond more quickly.

Install File Server Resource Manager (FSRM)

While File and Print Services is installed on Windows Server by default, to manage advanced features of the role you’ll need to install the File Server Resource Manager (FSRM):

Log on to Windows Server 2012 as a local administrator.

Right-click the PowerShell icon on the desktop Taskbar and select Run as Administrator from the menu. Click Yes in the UAC prompt.

Note here that the -IncludeManagementTools parameter is optional. If you choose to omit it, you won’t be able to access the GUI File Server Resource Manager tool on the server.

Configure the SMTP Server in FSRM

FSRM needs an SMTP server address to which it can forward error messages when users request help via email. Optionally, you can set a generic admin email to which all messages can be copied. In the PowerShell window, type:

The -MailCCAdmin parameter copies the email to the FSRM admin email address that we configured separately in the previous step. The -MailToOwner parameter copies the email to the designated owner of the data resource.

In the command line, I used a couple of macros: [Original File Path] and [Admin Email]. These are essentially predefined variables that allow you to customize the message according to the situation. [Original File Path] displays the file path that the user was trying to access in the message body, and [Admin Email] shows the admin email address configured in FSRM. There are two other macros that you can use: [Original File Path Folder] displays the parent folder of the file path that the user wanted to access, and [Data Owner Email] shows the recipient list configured for the file resource.
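
The PowerShell steps described above, from installing FSRM through setting the ADR message, as one added example (not the article's original commands). The SMTP server name, the email addresses and the message wording are placeholder assumptions; the cmdlets and the four macros are the ones FSRM provides.

```powershell
# Added example. Run in an elevated PowerShell session on the file server.
# Placeholder values (assumptions): replace with your own environment's.
$SmtpServer = 'smtp.example.test'
$AdminEmail = 'fileadmins@example.test'
$FromEmail  = 'fsrm@example.test'

# 1. Install FSRM. -IncludeManagementTools also installs the GUI console.
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# 2. Tell FSRM which SMTP server to use and which address is the admin
#    address (used by the [Admin Email] macro and by -MailCCAdmin).
Set-FsrmSetting -SmtpServer $SmtpServer `
                -AdminEmailAddress $AdminEmail `
                -FromEmailAddress $FromEmail

# 3. Build the messages from the FSRM macros. The display text is shown to
#    the user; the email text is sent when the user requests help.
$display = 'You do not have permission to open [Original File Path]. ' +
           'You can request help from this dialog or contact [Admin Email].'
$mail    = 'Access was denied to [Original File Path] ' +
           '(parent folder: [Original File Path Folder]). ' +
           'Data owner: [Data Owner Email].'

# 4. Enable ADR, allow help requests, and copy the admin and data owner.
#    -EventLog also writes each request to the server event log, which
#    gives a record of who asked for access to what.
Set-FsrmAdrSetting -Event AccessDenied `
                   -Enabled `
                   -AllowRequests `
                   -DisplayMessage $display `
                   -EmailMessage $mail `
                   -MailCCAdmin `
                   -MailToOwner `
                   -EventLog

# 5. Check: read the setting back and fail loudly if it did not apply.
$adr = Get-FsrmAdrSetting -Event AccessDenied
if (-not ($adr.Enabled -and $adr.AllowRequests)) {
    throw 'ADR is not enabled or help requests are not allowed.'
}
$adr | Format-List Event, Enabled, AllowRequests, MailCCAdmin, MailToOwner, DisplayMessage

# 6. Check: confirm FSRM can actually reach the SMTP server.
Send-FsrmTestEmail -ToEmailAddress $AdminEmail
```

Because the email carries the full file path and is copied to the data owner, review who is listed as owner on sensitive shares before turning on -MailToOwner.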

Enable Access Denied Remediation for All File Types on Windows 8

Before users will see ADR messages, you need to enable ADR for all file types on Windows 8 using Group Policy. The Access-Denied Assistance Group Policy settings also allow you to configure ADR on Windows Server 2012, so if you have multiple file servers, this method may be preferable to using PowerShell or the FSRM management console.

Open Group Policy Management (GPMC) from the Tools menu in Server Manager.

In the left pane of GPMC, expand your forest and domain.

Right-click Group Policy Objects and select New from the menu.

Name the new GPO Access Denied Remediation and click OK in the New GPO dialog.

Select Group Policy Objects in the left pane of GPMC.

In the right pane, right-click the new Access Denied Remediation GPO and select Edit from the menu.